Security Bulletin

Microsoft Security Bulletin MS02-017 - Moderate

Unchecked buffer in the Multiple UNC Provider Could Enable Code Execution (Q311967)

Published: April 04, 2002 | Updated: February 28, 2003

Version: 1.2

Summary

Who should read this bulletin: Customers using Microsoft® Windows NT®, Windows® 2000 and Windows XP

Impact of vulnerability: Local privilege elevation, running code of the attacker's choice.

Maximum Severity Rating: Moderate

Recommendation: Administrators should consider applying the patch to machines that allow unprivileged users to log onto them interactively, such as workstations and Terminal Servers.

Affected Software:

  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Enterprise Edition
  • Microsoft Windows NT 4 Terminal Server Edition
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional

General Information

Technical details

Technical description:

The Multiple UNC Provider (MUP) is a Windows service that assists in locating network resources that are identified via UNC (uniform naming convention). The MUP receives commands containing UNC names from applications and sends the name to each registered UNC provider, LAN Manager workstation, and any others that are installed. When a provider identifies a UNC name as its own, the MUP automatically redirects future instances of that name to that provider.

When MUP receives a file request, it allocates a buffer in which to store it. There is proper input checking in this first buffer. However, MUP stores another copy of the file request in a buffer when it sends this request to a redirector. This second copy of the buffer does not check inputs correctly, thereby creating the possibility that a resource request to it from an unprivileged process could cause a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with Local System privileges.

Mitigating factors:

  • The MUP request can only be levied by a process on the local system. As a result, the vulnerability could only be exploited by a user who could log onto an affected system interactively.
  • On Windows 2000 systems, the vulnerability could not reliably be used to run code. This is because the attacker would need to know where the buffer was located in memory, but in Windows 2000 this is not externally discoverable or controllable.
  • Best practices suggest that unprivileged users not be allowed to log on interactively to business-critical servers. If this recommendation has been followed, machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Severity Rating:

                                          Internet Servers   Intranet Servers   Client Systems
Windows NT 4.0                            Low                Low                Moderate
Windows NT 4.0 Terminal Server Edition    Low                Moderate           None
Windows 2000                              Low                Low                Moderate
Windows 2000 Terminal Services            Low                Moderate           None
Windows XP                                Low                Low                Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-0151

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000 and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun that results in a privilege elevation vulnerability. If an attacker successfully exploited this vulnerability, he could gain complete control over the machine. This would allow him to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group. In order to exploit this vulnerability, the attacker would need to be able to log on locally. This means the attacker would need the ability to log onto the target machine interactively and run code on the system. By default, unprivileged users cannot interactively log onto NT4 Domain Controllers, and if normal security precautions have been taken, the only machines at risk will be workstations and terminal servers.

What causes the vulnerability?
The vulnerability results because the MUP (Multiple UNC Provider) service contains an unchecked buffer. By sending a specially malformed request, it could be possible to conduct a buffer overrun attack against an affected system.

What is UNC?
UNC (uniform naming convention) is a method of identifying resources such as share names or files on a network. A typical UNC name begins with two backslashes followed by a server name: \\server\share\subdirectory\filename

What is MUP?
The Multiple UNC Provider (MUP) is a Windows service that assists in locating network resources that are identified via UNC (uniform naming convention). The MUP receives commands containing UNC names from applications and sends the name to each registered UNC provider, LAN Manager workstation, and any others that are installed. When a provider identifies a UNC name as its own, the MUP automatically redirects future instances of that name to that provider.

What's wrong with MUP?
When MUP requests a file using the uniform naming convention (UNC), it will allocate a buffer to store this request. There is proper input checking on this first buffer. However, MUP stores another copy of the file request in a buffer when it sends this request to a redirector. This second copy of the buffer does not check inputs correctly. As a result, it could be possible for a MUP request to result in a buffer overrun.
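
The pattern described in the Technical description and in this answer, a checked first copy of the request followed by an unchecked second copy, is shown below as an added user-mode C sketch. It is not MUP or Microsoft code; the function names, the 64-byte buffer size and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FORWARD_BUF_LEN 64  /* hypothetical size of the fixed second buffer */

/* Stage 1: the first copy is sized from the request, so it cannot overrun. */
char *receive_request(const char *unc, size_t len) {
    char *copy = malloc(len + 1);
    if (copy != NULL) memcpy(copy, unc, len + 1);
    return copy;
}

/* Stage 2, flawed pattern: no check against the size of this destination. */
int forward_unchecked(const char *req, size_t len, char *out) {
    memcpy(out, req, len + 1);  /* writes past out when len >= FORWARD_BUF_LEN */
    return 0;
}

/* Stage 2, corrected: the length is checked against this destination. */
int forward_checked(const char *req, size_t len, char *out) {
    if (len >= FORWARD_BUF_LEN) return -1;  /* reject instead of overrunning */
    memcpy(out, req, len + 1);
    return 0;
}

/* Both stages with the corrected second copy: 0 = forwarded, -1 = rejected. */
int handle_request(const char *unc, char *out) {
    size_t len = strlen(unc);
    char *req = receive_request(unc, len);
    if (req == NULL) return -1;
    int rc = forward_checked(req, len, out);
    free(req);
    return rc;
}

/* Constructed input: a request name made of n 'A' characters. */
int demo(size_t n) {
    char out[FORWARD_BUF_LEN], name[256];
    if (n >= sizeof name) return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    return handle_request(name, out);
}

int main(void) {
    printf("20-char name:  %d\n", demo(20));
    printf("199-char name: %d\n", demo(199));
    return 0;
}
```

The first copy is safe because its size is derived from the request; the second destination has its own size, so the check has to be repeated there rather than inherited from the first stage.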

What could the attacker do with this vulnerability?
The attacker could use this vulnerability to run code in the context of the LocalSystem account, that is, as the operating system itself. However, it is possible the buffer overflow will not always be successful and in this instance, the attacker could create a denial of service situation by rebooting the target machine. If the attacker is successful in elevating privilege to that of LocalSystem, the attacker could take any desired action on the machine.

How could an attacker exploit this vulnerability?
The attacker would first need the ability to log on to the target machine with valid user credentials. Once logged in, the attacker would have to be able to copy a program that calls the MUP service in a way that exploits the vulnerability.

Could this vulnerability be exploited remotely?
No. The attacker's program would need to run locally on the machine. This means the attacker would need the ability to log onto the machine interactively and start the malicious program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as domain controllers, and as a result would be unable to attack them.

What systems would be most at risk?
Workstations and terminal servers are at the greatest risk for this vulnerability because they let users log on interactively by design.

Why is this harder to exploit on Windows 2000?
The kernel manages the second copy of the buffer which this vulnerability overflows. The kernel is not externally controllable and therefore unpredictable. The result would most likely be a system blue screen or reboot.

What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking on the MUP service.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

  • Windows NT 4.0:

    The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.

  • The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 TSE Service Pack 6.

  • Windows 2000:

    This patch can be installed on systems running Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2.

  • The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:

  • The fix for this issue will be included in Windows 2000 Service Pack 3.
  • The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

Windows NT 4.0 Service Pack 6a:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q312895
  • To verify the individual files, consult the file manifest in Knowledge Base article Q311967. The information in this article supersedes the information that was in Q312895.

Windows NT 4.0 Terminal Server Edition Service Pack 6:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q312895.
  • To verify the individual files, consult the file manifest in Knowledge Base article Q311967. The information in this article supersedes the information that was in Q312895.

Windows 2000 Service Pack 2:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q311967
  • To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q311967\Filelist

Windows XP:

  • To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q311967
  • To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q311967\Filelist

Caveats:

None

Localization:

Localized versions of this patch are currently available, at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks NSFocus for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q311967 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (April 04, 2002): Bulletin Created.
  • V1.1 (April 16, 2002): Bulletin updated to clarify that Windows XP Home Edition is also affected.
  • V1.2 (February 28, 2003): Updated download links in Additional Information Section.
